The dark side of Java

I have found quite an interesting article; the source is darkreading.com and the author is Kelly Jackson Higgins. Here is my translation of it:

The Dark Side of Java

Metasploit adds a new module for the latest Java attack as Java becomes the new favorite target of cybercriminals

Dec 01, 2011 | 08:08 PM
By Kelly Jackson Higgins
Dark Reading

It may be a declining tool among developers, but Java remains a widespread and still frequently forgotten presence on computers, one that is increasingly targeted by criminals.
Why Java as an attack vector?

Its pervasiveness and the inordinate number of outdated versions running out there on computers are making Java the weapon of choice for black-hat hackers lately. The numbers say it all: About 80 enterprise systems run outdated, unpatched versions of Java, according to data from Qualys. And since the third quarter of 2010, Microsoft has detected or blocked approximately 6.9 million Java exploit attempts every quarter, with a total of 27.5 million exploit attempts during that 12-month period.

Overall, 3 billion devices in the world use Java, and 80% of browsers do. Meanwhile, some very security-savvy users are disabling or uninstalling it entirely as a precaution.

Developers of the widely popular open source Metasploit penetration testing tool this week added a new module for the latest Java attack, which abuses a recently patched vulnerability in Oracle's Java implementation, Rhino. The flaw in Oracle Java SE JDK and JRE 7 and 6 update 27 and earlier versions, which was initially announced by researchers here and here, quickly came to fruition in an underground crimeware kit, as blogger Brian Krebs discovered on his website. Krebs On Security reported that the attack was also being run within the BlackHole crimeware kit.

"Java is everywhere, and nobody updates it properly," says HD Moore, creator and chief architect of Metasploit and CSO at Rapid7. "Very few companies update it on their computers."

"Oracle does offer an auto-update feature for Java, but it requires administrative privileges for the computer user to use it, something that most companies don't allow," says Moore.

Microsoft's director of Trusted Computing, Tim Rains, earlier this week pointed out in a post that patched bugs in Oracle's Java software have been under siege for months. "Vulnerabilities in Oracle's Java software have been under attack on a relatively large scale for several months now, and as I mentioned, security updates for these vulnerabilities have been available for some time," says Rains. "If you have not updated Java in your environment recently, you should assess the risks present. Among other things, organizations need to be aware that they can have multiple versions of Java running," he says.

Oracle's Java flaw, which was patched by Oracle last month, basically allows a Java applet to run arbitrary code outside of the Java sandbox. Rapid7's Moore says that the so-called Java Rhino Exploit (which works on multiple platforms, including Windows, iOS, and Linux) runs in the background, without the affected user noticing. Interestingly, Linux is now more vulnerable to attack. "Oracle patched it, and Apple pushed a software update. But most Linux vendors have not required updates," says Moore.

This is typically used as the first stage of a multi-stage attack, to download an executable file or install a bot.

Wolfgang Kandek, CTO of Qualys, says that having Metasploit support the latest exploit would help raise awareness about the danger of outdated Java installations. "The benefit of having it in Metasploit is that the good guys can demonstrate how this [attack] works," he says.

Many of the organizations found running outdated Java installations in Qualys' customer data were large companies, he says. "There is a tendency not to have good processes for patching Java. It flies under the radar," he says.

———– And here the article ends.

Undoubtedly, this has a lot to do with what we mentioned before, that is, Canonical ceasing to offer Oracle's Java in its repositories (Ubuntu, Kubuntu, Xubuntu, etc.). Obviously, if Oracle does not allow updates to be included, it is not worth it, as users would be too exposed to attacks such as those mentioned above.
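The article names the affected builds (JDK/JRE 7 and 6 update 27 and earlier) and Rains warns that a machine may carry several Java installations. The following is an added example, not code from the article or from any vendor, that parses `java -version` output from each installed binary and flags the ones the article lists as affected; the sample outputs and paths are constructed, and treating any later update level as patched is an assumption to confirm against Oracle's advisory.

```python
import re

# First line of `java -version`, e.g. 'java version "1.6.0_27"' (Sun/Oracle and OpenJDK alike).
VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')


def parse_version(line):
    """Return (major, update) from a `java -version` line, or None if it does not match."""
    m = VERSION_RE.search(line)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return major, update


def is_affected(major, update):
    """True for the builds the article names: 7 (no update level) and 6u27 or earlier.
    Anything newer is treated as patched here (assumption, not from the article)."""
    if major < 6:
        return True            # older than the affected line, long unsupported
    if major == 6:
        return update <= 27
    if major == 7:
        return update == 0     # the article names "7" with no update level
    return False


def audit(outputs):
    """outputs maps a java binary path to the first line of its -version output.
    Returns (sorted rows of (path, version, affected), multiple_versions_present)."""
    rows = []
    for path, line in outputs.items():
        v = parse_version(line)
        if v is None:
            rows.append((path, "unparsed", None))
            continue
        rows.append((path, f"{v[0]}u{v[1]}", is_affected(*v)))
    distinct = {r[1] for r in rows if r[2] is not None}
    return sorted(rows), len(distinct) > 1


# Constructed sample: three installations as they might coexist on one Linux box.
SAMPLE = {
    "/usr/lib/jvm/java-6-sun/bin/java": 'java version "1.6.0_26"',
    "/usr/lib/jvm/java-6-openjdk/bin/java": 'java version "1.6.0_29"',
    "/opt/jdk1.7.0/bin/java": 'java version "1.7.0"',
}

if __name__ == "__main__":
    rows, multiple = audit(SAMPLE)
    for path, ver, affected in rows:
        print(f"{'AFFECTED' if affected else 'ok':8} {ver:6} {path}")
    if multiple:
        print("warning: multiple Java versions installed; patch or remove each one")
```

On a real system, feed the function the output of each `java` binary found under `/usr/lib/jvm`, `/opt` and the browser plugin directories rather than only the one on `PATH`.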

Anyway, what do you think about it? 😉

Regards

PS: Just yesterday I was reading a tutorial about how it is possible to install Linux on my Nokia N70; I still haven't decided to do it LOL !!!



  1.   invisible15 said

    I've been using IcedTea (OpenJDK, free) for a long time and I almost always have it disabled because I barely use it ...

  2.   Alf said

    I have little, about 3 months using OpenJDK, I did not know exactly the security flaw in java, I changed it just to see how libreoffice worked 😛

  3.   Erythrym said

    I know this is almost off-topic but… Linux on Nokia? How? If I could get that Symbian m___ off my 5800 I'd be delighted!

    1.    KZKG ^ Gaara said

      Did you know that Symbian is Linux's first cousin? 😀
      Anyway, I still don't read enough information about this Linux on Nokia ... don't worry, when I find some decent information I'll give you the links 😉

  4.   Tina Toledo said

    KZKG ^ Gaara… don't take this badly, but there are some errors in the translation, for example:

    1.- "… are making Java the black hat hacker's choice of late" should be "… lately they make Java the choice of malicious hackers"

    2.- "Vendor" in English also means "Supplier", so the phrase "But most Linux vendors…" works without any problem as "But most Linux vendors…"

    Regards

    1.    KZKG ^ Gaara said

      Nah, you're welcome 😀
      It really doesn't bother me; I'm not a professional translator, far from it LOL !!!
      I fix it right now 😉

      Really, thank you very much, understanding English is not difficult for me, what is a bit complex for me is writing it and ordering it in Spanish 😀

      Regards

      1.    Tina Toledo said

        : )
        The same thing happens to me with Spanish; phrases containing local expressions are hard for me to understand. Even if only a few, some still escape me.
        "Black hat hacker" is an expression used to designate the malicious hacker, and it is certainly a hassle to translate it into Spanish.

        Greetings and a strong hug

  5.   Courage said

    Are you aware of what you say?

    I don't know but I am aware that "conscious" does not appear in the RAE dictionary.

    We also have Linux vendors like Tito Mark and his henchmen

    1.    KZKG ^ Gaara said

      Let's see ... my laptop is Made in China, but the QUALITY control is HP's B series, that is ... the components are manufactured in China (cheap labor ...) but who decides which components are good enough is the manufacturer 😉

  6.   Tina Toledo said

    "Oracle does offer an auto-update feature for Java, but it requires administrative privileges for the computer user to use it, something that most companies do not allow"
    "There is a trend of not having good processes for patching Java."

    So the problem is not Java but that users do not have the habit of updating it, is it?

    1.    pandev92 said

      Honestly, the problem with Java is security; if we compare it with Flash, Java is 20 times more secure. The problem is that it is a language that crawls. It's sexy to learn but it's a nightmare LOL!

      1.    pandev92 said

        I meant to say *not so secure*

    2.    KZKG ^ Gaara said

      Many times we aren't given the option either, with Oracle and its restrictions.
      For my part I am using OpenJDK, and so far no complaints 🙂

  7.   José Miguel said

    In Debian Squeeze I tried to uninstall sun-java and go back to the default ones, and… in the end I gave up.

  8.   ubuntero said

    The truth is that Java was a good alternative a long time ago; now it's just a lot of problems 🙁

  9.   benybarba said

    One of the dependencies in Mexico is the SAT and the IMSS, which means you have to use very old versions, more than 3 years old, because otherwise you cannot enter their portals.

  10.   Luis Armando Medina said

    I work mostly with administrative users, and they never update anything. They use Java for many government programs that necessarily require certain versions with large vulnerabilities. This is also a subject that institutions like the IMSS and the SAT in Mexico should take more seriously: keep your applications up to date and stop distributing software created in 2004 or earlier with such problems.

  11.   B said

    Well, I have used sun-java for quite some time and the truth is that I have no complaints; I get the results I have always wanted and even go a little beyond the conventional. OpenJDK for development is not something I would recommend to anyone, although I suppose that is my own criterion. Cheers